awareness of security exploits and their causes n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Awareness of Security Exploits and Their Causes PowerPoint Presentation
Download Presentation
Awareness of Security Exploits and Their Causes

Loading in 2 Seconds...

play fullscreen
1 / 72

Awareness of Security Exploits and Their Causes - PowerPoint PPT Presentation


  • 114 Views
  • Uploaded on

Awareness of Security Exploits and Their Causes. Prabhaker Mateti Wright State University Aug – Dec 2014 On Sabbatical at Amrita Viswa Vidyapeetham. Some Numbers. Amazon.com book search. Security Incidents / CERT. 2013: 100000+

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Awareness of Security Exploits and Their Causes' - montgomery-arjun


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
awareness of security exploits and their causes

Awareness of Security Exploits and Their Causes

Prabhaker Mateti

Wright State University

Aug – Dec 2014 On Sabbatical at Amrita Viswa Vidyapeetham

some numbers
Some Numbers

Security Awareness 2014

amazon com book search
Amazon.com book search

Security Awareness 2014

security incidents cert
Security Incidents / CERT
  • 2013: 100000+
  • “CERT uses the word "incident" as an administrative term …
  • A single "incident" can involve anything from a single host computer to a very large number of host computers, at a single site or at hundreds of thousands of sites.”

Security Awareness 2014

number of hosts in the dns
Number of Hosts in the DNS
  • 2003 171,638,297
  • 2000 72,398,092

Security Awareness 2014

sizes of some software
Sizes of Some Software

Security Awareness 2014

bugs per thousand loc
Bugs per Thousand LOC
  • Table from “Code Complete” book
  • Not to be taken as too authentic
  • Don’t believe the 0 at the low end

Security Awareness 2014

so you got r00ted
“So you got r00ted.’’
  • Your machine has been compromised.
  • root = administrator = super-user
  • An unauthorized user has obtained root privileges.
  • A rootkit may have been installed.
  • Forensic analyses made with tools existing on that system are unreliable.

Security Awareness 2014

denial of service dos
Denial of Service (DoS)
  • We think of computer systems as providing services to authorized users.
  • When a system is deliberately made to crash, or made to run legitimate users' programs so very slowly that it is unusable, we refer to it as a "denial of service attack."
  • The attacker accomplishes this by running certain cleverly composed programs, and is pre-aware of the consequences. 

Security Awareness 2014

black hats v white hats
Black Hats v. White Hats
  • Black hats are the "bad" guys in that they use their knowledge to unauthorizedly break into even more systems, and pass their knowledge to other insiders.
  • White hats are the "good" guys: they are mostly into forensics and prevention of attacks. 

Security Awareness 2014

vulnerability
Vulnerability, …
  • Vulnerability: A weakness that can be exploited to cause damage.
  • Attack: A method of exploiting a vulnerability.
  • Threat: A motivated, capable adversary that mounts attacks.

Security Awareness 2014

hacker v attacker v intruder
Hacker v. Attacker v. Intruder
  • Hacker = One who programs enthusiastically, even obsessively.
  • An expert at a particular program, as in ‘a Unix hacker’.
  • A hacker enjoys exploring the details of programmable systems and how to stretch their capabilities.
  • A hacker has ethics.

Security Awareness 2014

malware
Malware
  • Any “program” that has a “malicious” intent …
  • Viruses + Worms + Trojans + …

Security Awareness 2014

viruses
Viruses
  • Viruses are "programs" that modify other programs on a computer, inserting copies of themselves. 
  • Viruses are not officiallyprograms:
    • They cannot run on their own.
    • Need to have some host program.
    • When the host program is run, the virus runs.

Security Awareness 2014

worms
Worms
  • Worms are programs that propagate from computer to computer on a network.
  • Worms  can run independently.
  • Worms may have (different) portions of themselves running on many different machines.
  • Worms do not change other programs, although they may carry other code that does.

Security Awareness 2014

trojans
Trojans
  • A Trojan mimics the functionality of its namesake legitimate program.
  • But has a hidden “agenda.”
  • Ex: wu-ftpd Trojan - Login with specific user/password gives a root shell.

Security Awareness 2014

backdoors
Backdoors
  • Also called trap doors.
  • Allow unauthorized access to a system.
  • The absence of backdoors cannot be established.

Security Awareness 2014

system security
System Security
  • “System Security” =

Computer Security + Network Security

  • Trojan Horses, Viruses and Worms
  • Privacy and Authentication
  • TCP/IP exploits
  • Firewalls
  • Secure Configuration of Personal Machines
  • Buffer Overflow and Other Bug Exploitation
  • Writing Bug-free and Secure Software
  • Secure e-Commerce Transactions

Security Awareness 2014

current practices
Current practices

and their problems

improper configuration
Improper Configuration
  • Out of the box installations are rarely properly configured.
  • Standard user accounts with standard passwords.
  • Running unneeded services.
  • Leaving sensitive files read/write-open.

Security Awareness 2014

fortification
Fortification
  • Start with a properly configured system.
  • Delete weak or unneeded components.
  • Add protective layers.
  • Keep detailed logs.

Security Awareness 2014

hardened os
Hardened OS
  • Often “equated” with fortification.
  • Rebuilding an OS from the same source code but by using a more rigorous compiler.
  • Redesigning portions of an OS.
  • Statically v. dynamically configured.

Security Awareness 2014

rootkits
Rootkits
  • “A rootkit is a collection of tools and utilities that attackers use to hide their presence and gather data to help them infiltrate further across the network. Rootkits insert backdoors, install Trojans, and patch existing programs.”
  • Installed after the attacker gains access.
  • Cannot be detected by firewalls or anti-virus scanners.
  • 200+ results for search “rootkit’’ on www.packetstormsecurity.org

Security Awareness 2014

windows rootkit examples
Windows Rootkit Examples
  • null.sys
  • HE4Hook
  • Hacker Defender
  • Slanret
  • He4Hook
  • Vanquish
  • Fu

Security Awareness 2014

linux rootkit examples
Linux Rootkit Examples
  • Linux Rootkit (LRK)
  • TeLeKit
  • Adore
  • Knark
  • t0rnkit
  • Kernel Intrusion System (KIS)

Security Awareness 2014

booting up
Booting Up
  • BIOS
  • OS Kernel
  • Initialization
  • User logins

Security Awareness 2014

boot ini
boot.ini

[boot loader]

timeout=30

default=multi(0)disk(0)rdisk(0)partition(9)\WINDOWS

[operating systems]

C:\bootsect\hdc3grub.bin="Booting From FAT32on120GB"

multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Windows XP Pro r0 p3" /fastdetect

multi(0)disk(0)rdisk(0)partition(9)\WINDOWS="Windows XP Pro r0 p9" /fastdetect

multi(0)disk(0)rdisk(0)partition(14)\WINDOWS="Windows XP Pro r0 p14" /fastdetect

C:\bootsect\hdc3grub.bin="Linux via Grub"

Security Awareness 2014

boot grub menu lst
/boot/grub/menu.lst

timeout 10

default 1

title failsafe

kernel (hd0,6)/boot/vmlinuz root=/dev/hda7 failsafe devfs=nomount hdc=ide-scsi acpi=off

initrd (hd0,6)/boot/initrd.img

title linux-smp

kernel (hd0,6)/boot/vmlinuz-smp root=/dev/hda7 devfs=mount hdc=ide-scsi acpi=off

initrd (hd0,6)/boot/initrd-smp.img

title windows

root (hd0,0)

chainloader +1

Security Awareness 2014

human user authentication
Human User Authentication
  • Something you know
      • (e.g., a password or other secret);
  • Something you have
      • (e.g., smart card, credit card);
  • Something you are
      • (e.g., fingerprints, retinal scan, voice print).

Security Awareness 2014

passwords
Passwords
  • Weak passwords; social engineering.
  • telnet, ftp, … passwords travel the network in the clear; can be sniffed.
  • One Time Passwords

Security Awareness 2014

cryptography
Cryptography
  • "Computationally Infeasible”
      • N = 2^a * 3^b * 5^c * 7^d * ...
  • One way hash function
    • takes a variable-length input sequence of bytes and converts it into a fixed-length sequence.
    • designed to be computationally infeasible to reverse the process

Security Awareness 2014

symmetric keys
Symmetric Keys
  • sender and receiver of a message share a single, common key.
  • If ct = encryption (pt, key), then pt = decryption (ct, key).
  • DES
  • IDEA
  • Blowfish

Security Awareness 2014

public and private keys
Public and Private Keys
  • a public key known to everyone, and a private or secret key known only to the recipient of the message
  • The two keys are mathematically related, yet it is computationally infeasible to deduce one from the other.
  • A global registry of public keys is needed
  • RSA

Security Awareness 2014

man in the middle attack
Man-in-the-Middle Attack
  • The public key-based communication between say Alice and Bob is vulnerable.
  • Let us assume that Mallory, a cracker, not only can listen to the traffic between Alice and Bob, but also can modify, delete, and substitute Alice's and Bob's messages, as well as introduce new ones.  Mallory can impersonate Alice when talking to Bob and impersonate Bob when talking to Alice. Here is how the attack works.
  • Bob sends Alice his public key. Mallory intercepts the key and sends her own public key to Alice.
  • Alice generates a random session key, encrypts it with "Bob’s" public key (which is really Mallory's), and sends it to Bob.
  • Mallory intercepts the message. He decrypts the session key with his private key, encrypts it with Bob's public key, and sends it to Bob.
  • Bob receives the message thinking it came from Alice. He decrypts it with his private key and obtains the session key.
  • Alice and Bob start exchanging messages using the session key. Mallory, who also has that key, can now decipher the entire conversation.

Security Awareness 2014

buffer overflow
Buffer Overflow

“Quick: What's the computer vulnerability of the decade?  It's not the Y2K bug, according to computer science and security analysts, but a security weakness known as the buffer overflow .”

  • Executable code is injected on to the runtime stack.
  • The return address that was on the stack is modified to point to the beginning of this code.
  • The executable code chosen produces a shell.
  • A root-privileged program is so exploited; so, you are r00ted.

Security Awareness 2014

buffer overflow1
Buffer Overflow
  • Many of the Top 20 vulnerabilities are buffer overflow problems.
  • Caused by a simple class of programming errors.
  • C and its promiscuous style.

Security Awareness 2014

network security
Network Security

Ethernet is a broadcast medium.

So is: wifi

Packet switching.

Security Awareness 2014

security of the connection
Security of the Connection
  • Least secure: Wireless networking
  • Second least secure: Always-on wired connections
  • Second most secure: Intermittent wired connections (dial-up)
  • Most secure: Never connected.

Security Awareness 2014

tcp ip design problems
TCP/IP Design Problems
  • Designed with too little concern for security.
  • All data, including various fields in the protocol headers, are sent in the clear.
  • Sender and Receiver in the packet can be spoofed.

Security Awareness 2014

ip4 spoofing
IP4 Spoofing
  • IP address: a.b.c.d, 4-bytes.
  • IP packet contains the IP addresses of sender and receiver.
  • Everything in the clear.
  • IP spoofing replaces the IP address of (usually) the sender or (in rare cases) the destination with a different address.
  • Services that authenticate based on the IP addresses are vulnerable. 
      • RPC,  NFS, r-commands (rlogin, rsh, rcp, etc.), X windows, …

Security Awareness 2014

ip fragment attacks
IP Fragment Attacks
  • When packets are too large to be sent in a single IP packet, due to interface hardware limitations for example, they can be split up by an intermediate router.
  • The final destination will reassemble all the fragments of an IP packet.
  • Attackers create artificially fragmented packets in order to circumvent firewalls that do not perform packet reassembly. 
  • In the IP layer implementations of nearly all OS, there are bugs in the reassembly code.
  • Attackers create fragments that trigger these bugs.

Security Awareness 2014

tcp exploits
TCP Exploits
  • The SYN Flood
  • Connection Killing by RST
  • Closing a Connection by FIN
  • Connection Hijacking

Security Awareness 2014

covert channels
Covert Channels
  • Sending of “data” not in the payload, but via other “places.”
  • Headers.
  • Sequence numbers.

Security Awareness 2014

probing
Probing
  • Port Scanning is one of the most popular among the reconnaissance techniques.
      • Find open ports
      • Fingerprint the OS
  • Stealth scan, Bounce scan, …
  • nmap

Security Awareness 2014

sniffers
Sniffers
  • A packet sniffer is a program that eavesdrops on the network traffic.
  • It copies packets as they pass the NIC.
  • An NIC in the normal mode reads packets destined to its specific MAC address, and all other packets are ignored.
  • An NIC in promiscuous mode, receives all packets regardless of the MAC address.

Security Awareness 2014

distributed denial of service ddos
Distributed Denial of Service (DDoS)
  • Several machines participate in a DoS attack of a victim.
  • These participants are often compromised innocent machines serving the “attacks.”
  • A remote client triggers the attack servers.

Security Awareness 2014

dns attacks
DNS Attacks
  • Domain Name Service protocol is inherently vulnerable.
  • DNS cache poisoning.
  • BIND 8 is the most popular DNS server.
  • DNS servers running BIND are not up to date with security patches and software updates.
  • On October 21, 2002, 9 of the 13 root name servers were the target of a DDoS attack.

Security Awareness 2014

mobile computing
Mobile Computing

Security Awareness 2014

smart phones
Smart Phones
  • Highly capable networked computer systems
    • Quad-core 1.2 GHz CPUs
    • 1 GB RAM
    • 16 GB persistent storage
  • Standard : GSM, Wi-Fi, GPS, Bluetooth, camera, microphone, various sensors
  • Used by millions of computer-illiterates
  • Constrained by battery capacity

Security Awareness 2014

android devices 2014
Android Devices 2014

Security Awareness 2014

android security
Android Security
  • Soon to match PCs in malware
  • Kaspersky reports attacks per month
    • Aug 2013: 69,000
    • Mar 2014: 650,000
  • Pocket Spy?
  • Hot Research Topic
    • 1000+ papers
    • Permissions: 500+
    • Privacy improvements: 50+

Security Awareness 2014

security software
Security Software
  • Secure Shell, PGP, …
  • Firewall Kits
  • Tools
    • Top 50 Security Tools survey from www.nmap.org
    • http://www.packetfactory.net
    • nmap, SAINT, …
    • tcpdump, ethereal, snort, …
    • Password cracking
    • Tcpwrapper

Security Awareness 2014

ssh secure shell
SSH (Secure Shell)
  • telnet, rlogin, … do not authenticate the remote machine; SSH does.
  • The password that the user types as part of the login ritual is sent as clear text by telnet and rlogin; SSH sends it encrypted.
  • The data being sent and received by the RTF is also sent as clear text; SSH sends and receives it in encrypted form.

Security Awareness 2014

ssh secure shell1
SSH (Secure Shell)
  • ssh1 v. ssh2
  • SSH exploits do exist.
  • Susceptible to man in the middle attack
  • Encryption and decryption consumes computing and elapsed time.
  • Can be a nuisance. If the remote system has been legitimately reinstalled ...

Security Awareness 2014

ssh client and servers
SSH client and servers
  • ssh
  • putty
  • ttermpro
  • openssh

Security Awareness 2014

vpn virtual private network
VPN (Virtual Private Network)
  • Data travels over public networks, usually the Internet.
  • The information needed to allow the data packets to be routed between the source node and the destination node is available to the public medium as in ordinary TCP/IP traffic,
  • But, all other information is encrypted.
  • PPTP, L2TP, IPsec

Security Awareness 2014

file integrity
File Integrity
  • “Is the file what I installed? Did it change?”
  • Time stamps, file size, … are not reliable.
  • MD5 checksums.

The MD5 algorithm takes as input an arbitrary length byte sequence and produces a 16-byte "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given pre-specified target message digest.

Security Awareness 2014

scanning for viruses
Scanning for “Viruses”
  • Scanners hook themselves in the read/write methods of the file sys.
  • Search for patterns in the file content.
  • Search for specific file names, …
  • Can yield false positives.
  • Can miss identifying malware.

Security Awareness 2014

packet filters
Packet Filters
  • Drop packets based on matching certain parts: IP addresses, port numbers, protocols, flags.
  • Network Address Translation - NAT
  • IP port forwarding
  • iptables -A FORWARD -d ! 192.168.17.0/24 -i eth1 -j prvt-extrn iptables -A FORWARD -s 130.108.17.0/24 -i eth2 -j dmz-extrn iptables -A FORWARD -d 130.108.17.0/24 -i eth0 -j extrn-dmz iptables -A FORWARD -j DROP -l

Security Awareness 2014

firewalls
Firewalls
  • Packet filters
  • Bastion Host
  • Proxy services
  • Stateful Inspection
  • Three Myths of Firewalls
      • Firewalls make the assumption that the only way in or out of a corporate network is through the firewalls; that there are no "back doors" to your network.
      • Firewalls make the assumption that all of the bad guys are on the outside of the firewall, and everyone on the inside of the can be considered trustworthy.
      • With  macros, JavaScript, Java, … executable fragments can be embedded inside data.

Security Awareness 2014

intrusion detection
Intrusion Detection
  • Detect probes.
  • Constantly check file integrity.
  • Constantly check which ports are open and why.
  • Keep detailed logs of suspicious activity on a separate system.

Security Awareness 2014

causes
Causes

Security Awareness 2014

bugs in privileged software
Bugs in Privileged Software
  • Many bugs are exploitable from a security perspective.
    • A simple array-index out of bounds bug can lead to computer being owned by the attacker.
  • 2014 State of the Art:

Cannot produce bug-free software (unless tiny)

Security Awareness 2014

improper configuration1
Improper Configuration
  • Out of the box installations are rarely properly configured.
  • Standard user accounts with standard passwords.
  • Running unneeded services.
  • Leaving sensitive files read/write-open.

Security Awareness 2014

tcp ip design problems1
TCP/IP Design Problems
  • Designed with too little concern for security.
  • All data, including various fields in the protocol headers, are sent in the clear.
  • Sender and Receiver in the packet can be spoofed.

Security Awareness 2014

os design
OS Design
  • Too focused on performance
  • Not enough on security
  • Too much trust on components
    • E.g., kernel trusts /sbin/init

Security Awareness 2014

further reading
Further Reading

Security Awareness 2014

security web sites
Security Web Sites
  • “There is an oceanic amount of material on network security available over the Internet.” -- A Web Page.
  • 10000+ web sites
  • Select list follows

Security Awareness 2014

a few chosen security websites
A Few Chosen Security Websites
  • www.incidents.org
  • www.cert.org
  • www.cerias.purdue.edu
  • www.securityfocus.com
  • lwn.net/security
  • www.microsoft.com/security
  • www.phrack.org

Security Awareness 2014

mateti security links
Mateti/Security Links
  • CEG 4420 Cyber Security UG coursewww.cs.wright.edu/~pmateti/Courses/4420
  • Android Internals and Security at Amritawww.cs.wright.edu/~pmateti/Courses/7900

Security Awareness 2014